What is CVE-2026-46022?

CVE-2026-46022 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 2.6.13 onward and patched in 5.10.258, 5.15.209, 6.1.175 and others. CVE-2026-46022 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-46022?

CVE-2026-46022 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-46022?

Yes, CVE-2026-46022 has been patched. Fixed versions include 5.10.258, 5.15.209, 6.1.175 and others. If you are running Linux kernel 2.6.13 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-46022 actively exploited?

CVE-2026-46022 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-46022

In the Linux kernel, the following vulnerability has been resolved: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started. The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes: queue_begin + reader * sizeof(struct remote_input) with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception. Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-06-01

Patch available

Yes

Affected versions

Linux kernel versions 2.6.13 and later are affected. Fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1 and their respective stable series.

Affected from

≥ 2.6.13

Fixed in

✓ 5.10.258 5.10.x ✓ 5.15.209 5.15.x ✓ 6.1.175 6.1.x ✓ 6.6.140 6.6.x ✓ 6.12.86 6.12.x ✓ 6.18.27 6.18.x ✓ 7.0.4 7.0.x ✓ 7.1-rc1

References

The following references provide additional information about CVE-2026-46022 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841
Patch
Kernel patch commit
https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9
Patch
Kernel patch commit
https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107
Patch

8 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-46022?

CVE-2026-46022 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 2.6.13 onward and has been patched in 5.10.258, 5.15.209, 6.1.175 and others. CVE-2026-46022 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-46022?

Yes — CVE-2026-46022 has been patched. Fixed versions include 5.10.258, 5.15.209, 6.1.175 and others. If you are running Linux kernel 2.6.13 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-46022 actively exploited?

No — CVE-2026-46022 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.